This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

How to block traffic to specific udp/tcp ports

How to block traffic to specific udp/tcp ports

Peter_Kulmbrein
New Contributor II

ā€Ž07-06-2016 06:34 AM

Hi all,

I try to block traffic on specific tcp/udp ports on my x450a switch
I tried that with an ACL packed in a .pol file

entry udp_acl1{ if { source-address 0.0.0.0/0; protocol udp; destination-port 1119 ; } then { count udp ; deny; } } entry tcp_acl{ if { source-address 0.0.0.0/0; protocol tcp; destination-port 1119; } then { count tcp ; deny; } } entry udp_acl2{ if { source-address 0.0.0.0/0; protocol udp; destination-port 3724 ; } then { count udp ; deny; } } entry tcp_acl2{ if { source-address 0.0.0.0/0; protocol tcp; destination-port 3724 ; } then { count tcp ; deny; } }
was what i entered - when applying nothing happens and the counters are empty.
Did open the application and see that there is traffic on that ports using netstat.

Did i miss something? do you have some ideas?

Regards,
Peter
0 Kudos
9 REPLIES 9

Patrick_Voss
Extreme Employee

ā€Ž07-06-2016 10:17 AM

Hello Peter,

I do not believe the source-address is needed in this case. It won't hurt though. I would recommend giving each entry it's own counter to see if any of the rules are being hit and look into what David mentioned as well.
0 Kudos

Nick_Yakimenko
New Contributor II

ā€Ž07-06-2016 07:32 AM

Looks like you use x450 as L2 switch, not as a router. ACL rules may be applied only to traffic, which is being routed by device.
0 Kudos

Nick_Yakimenko
New Contributor II
In response to Nick_Yakimenko

ā€Ž07-06-2016 07:32 AM

Thanks for clarifying that
0 Kudos

Erik_Auerswald
Contributor II
In response to Nick_Yakimenko

ā€Ž07-06-2016 07:32 AM

EXOS ACLs generally apply to all frames, L2 and L3 does not matter. This is different from EOS (or Cisco) [router] ACLs. The EXOS ACLs work more like EOS policies than EOS ACLs.
0 Kudos

David_Choi
Extreme Employee

ā€Ž07-06-2016 06:53 AM

It looks like there is no problem on your policy except duplicated counter name. I just wonder if you applied the ACL on proper port or VLAN which the traffic is entering or outgoing.
You can simply check if there is the traffic on the port or VLAN you applied the ACL just by changing the ACL action from deny to permit and then check the counter. After changing the ACL actions, you may need to refresh the ACL.
0 Kudos
GTM-P2G8KFN